Device trust
Device trust is the security posture where a specific piece of hardware — typically an employer-managed laptop — is provisioned with a short-lived cryptographic credential (commonly an X.509 certificate in the OS keystore) that attests to the device's compliance with corporate security policy. Actions performed from the device (network access, code commits, API calls) can cryptographically prove they originated on a trusted device, independent of and complementary to the user's identity credentials.
Contrast with:
- User trust — "is this the authenticated human?" (solved by SSO / MFA / federated identity).
- Network trust — "is this coming from the corporate LAN / VPN?" (solved by VPN / zero-trust network access).
Device trust is the third leg that answers "is this coming from a corporate-managed endpoint in a compliant state?"
Typical implementation
- An MDM or device-management agent provisions an X.509 certificate to the device keystore (macOS Keychain, Windows Cert Store, TPM on Linux) during enrollment.
- The certificate is issued by an internal CA and is short-lived (days to weeks) so compromised devices stop being trusted quickly.
- An automatic renewal mechanism runs on the device — as long as the device stays compliant, the cert is re-issued before expiry.
- The private key never leaves the device keystore; signing/auth operations call into the keystore rather than exposing the key.
Seen in
- sources/2026-04-21-figma-enforcing-device-trust-on-code-changes — Figma's company-managed MacBooks carry a 15-day-rotated device trust X.509 certificate in the macOS Keychain. The certificate is used by S/MIME commit signing to cryptographically attest that a Git commit originated on a trusted Figma MacBook. Verification at GitHub-push time against the internal device-trust CA gates merges into release branches.
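The lifecycle described under "Typical implementation" and in the Figma entry, as an added Go example (not Figma's code, nor any MDM product's): a constructed internal CA issues a 15-day, signing-only device certificate, the device signs a commit payload, and a push-time gate accepts the signature only if the certificate chains to that CA and is still inside its validity window. The in-memory P-256 key stands in for a Keychain/TPM-held key, and Go's x509 chain verification stands in for the real S/MIME verification step; all names and the commit payload are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const DeviceCertTTL = 15 * 24 * time.Hour // the 15-day rotation the page cites for Figma's device certs
func must[T any](v T, err error) T { // keeps the example short: any key/certificate generation failure aborts
	if err != nil {
		panic(err)
	}
	return v
}
// issue generates a fresh P-256 key and a certificate from tmpl; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)))), key
}
// NewDeviceTrustCA is a constructed stand-in for the internal device-trust CA (not any real CA).
func NewDeviceTrustCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device Trust CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(8760 * time.Hour)}, nil, nil)
}
// IssueDeviceCert is the MDM agent's enrollment/renewal step: a short-lived, signing-only certificate with the S/MIME EKU.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, issued time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: deviceID}, NotBefore: issued,
		NotAfter: issued.Add(DeviceCertTTL), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}, ca, caKey)
}
// SignCommit signs a commit payload with the device key; on a real device the keystore answers this call.
func SignCommit(key *ecdsa.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}
// VerifyAtPush is the server-side gate: chain to the internal CA, validity at time at, S/MIME EKU, then the signature.
func VerifyAtPush(ca, dev *x509.Certificate, payload, sig []byte, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err == nil && dev.CheckSignature(x509.ECDSAWithSHA256, payload, sig) == nil
}
```

A certificate that has not been renewed fails the gate once its 15 days are up, and a certificate from any other CA (for example one minted on an unmanaged machine) fails regardless of how fresh it is.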
Related
- concepts/commit-signing — one consumer of device-trust certs beyond network/mTLS use.
- concepts/mutual-tls — another consumer: device-trust certs used as client certs in mTLS to attest the device end of a connection.
- patterns/signed-commit-as-device-attestation — the pattern Figma's usage instantiates.